dcrat | b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c

Analysis

max time kernel
54s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22-03-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
Size

303KB
MD5

91971721b53c791bd1e4bef7ae44c4fc
SHA1

ffd271ebad1b0afae61b36a62d63352d38c703bd
SHA256

b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c
SHA512

25675855e0f4bb9727a1b7ffe63488f3a3a8bc85120bfd8be3187913dfd03d0db13f9f25fc79d06d3ee871b9e92b979df3a2a11b8e52812fcec858813d81a0ad
SSDEEP

3072:oQciUCwAoPh+BYYCEXWHbbk9B/armuE/1K8nD2ey7AOD65xL4dK:kOIhmhbL/uER2ey752L44

Score

10^/10

dcrat djvu glupteba smokeloader pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0857PsawqS

rsa_pubkey.plain

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeb119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exeDB6D.exe

pid	process
404	schtasks.exe
5032	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\92332909-28db-4278-a276-cca04ed24614\\DB6D.exe\" --AutoStart"	DB6D.exe

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3496-22-0x0000000004C00000-0x0000000004D1B000-memory.dmp	family_djvu
behavioral2/memory/1600-21-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1600-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1600-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1600-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1600-38-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1140-41-0x0000000002FF0000-0x0000000003091000-memory.dmp	family_djvu
behavioral2/memory/1096-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1096-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1096-47-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3488-116-0x0000000005380000-0x0000000005C6B000-memory.dmp	family_glupteba
behavioral2/memory/3488-118-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/3488-193-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/4064-195-0x0000000005380000-0x0000000005C6B000-memory.dmp	family_glupteba
behavioral2/memory/4064-196-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/4064-404-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/3568-452-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/3568-460-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/3568-466-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/3568-471-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/3568-475-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/3568-479-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba
behavioral2/memory/3568-483-0x0000000000400000-0x000000000312D000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4948 netsh.exe
Deletes itself 1 IoCs

Processes:

pid process

3340
Executes dropped EXE 7 IoCs

Processes:

DB6D.exeDB6D.exeDB6D.exeDB6D.exe50E.exe1C22.exe2A2D.exe

pid process

3496 DB6D.exe
1600 DB6D.exe
1140 DB6D.exe
1096 DB6D.exe
1108 50E.exe
4652 1C22.exe
3488 2A2D.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

896 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4948	netsh.exe

pid	process
3340

pid	process
3496	DB6D.exe
1600	DB6D.exe
1140	DB6D.exe
1096	DB6D.exe
1108	50E.exe
4652	1C22.exe
3488	2A2D.exe

pid	process
896	icacls.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
behavioral2/memory/2640-463-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3924-467-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3924-476-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DB6D.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\92332909-28db-4278-a276-cca04ed24614\\DB6D.exe\" --AutoStart"	DB6D.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 drive.google.com
13 drive.google.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.2ip.ua
14 ip-api.com
1 api.2ip.ua

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

flow	ioc
3	drive.google.com
13	drive.google.com

flow	ioc
5	api.2ip.ua
14	ip-api.com
1	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

DB6D.exeDB6D.exe1C22.exe

description	pid	process	target process
PID 3496 set thread context of 1600	3496	DB6D.exe	DB6D.exe
PID 1140 set thread context of 1096	1140	DB6D.exe	DB6D.exe
PID 4652 set thread context of 2060	4652	1C22.exe	RegAsm.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2632 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1752 1096 WerFault.exe DB6D.exe
4872 1108 WerFault.exe 50E.exe

pid	process
2632	sc.exe

pid	pid_target	process	target process
1752	1096	WerFault.exe	DB6D.exe
4872	1108	WerFault.exe	50E.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeb119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5032 schtasks.exe
404 schtasks.exe

pid	process
5032	schtasks.exe
404	schtasks.exe

Modifies registry class 9 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-627134735-902745853-4257352768-1000\{C135F79C-F9C8-406A-B11B-04FF55E6C07E}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe

pid	process
3532	b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
3532	b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340
3340

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe

pid process

3532 b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

RegAsm.exepowershell.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeDebugPrivilege	2060	RegAsm.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	3340
Token: SeCreatePagefilePrivilege	3340
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeCreatePagefilePrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeCreatePagefilePrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeCreatePagefilePrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeCreatePagefilePrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeCreatePagefilePrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeCreatePagefilePrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeCreatePagefilePrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeCreatePagefilePrivilege	1436	explorer.exe
Token: SeShutdownPrivilege	1436	explorer.exe
Token: SeCreatePagefilePrivilege	1436	explorer.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

explorer.exe

pid process

1436 explorer.exe
1436 explorer.exe
1436 explorer.exe
1436 explorer.exe
1436 explorer.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

explorer.exe

pid	process
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

1436 explorer.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

cmd.exeDB6D.exeDB6D.exeDB6D.execmd.exe1C22.exe2A2D.exe

description	pid	process	target process
PID 3340 wrote to memory of 2740	3340		cmd.exe
PID 3340 wrote to memory of 2740	3340		cmd.exe
PID 2740 wrote to memory of 3992	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 3992	2740	cmd.exe	reg.exe
PID 3340 wrote to memory of 3496	3340		DB6D.exe
PID 3340 wrote to memory of 3496	3340		DB6D.exe
PID 3340 wrote to memory of 3496	3340		DB6D.exe
PID 3496 wrote to memory of 1600	3496	DB6D.exe	DB6D.exe
PID 3496 wrote to memory of 1600	3496	DB6D.exe	DB6D.exe
PID 3496 wrote to memory of 1600	3496	DB6D.exe	DB6D.exe
PID 3496 wrote to memory of 1600	3496	DB6D.exe	DB6D.exe
PID 3496 wrote to memory of 1600	3496	DB6D.exe	DB6D.exe
PID 3496 wrote to memory of 1600	3496	DB6D.exe	DB6D.exe
PID 3496 wrote to memory of 1600	3496	DB6D.exe	DB6D.exe
PID 3496 wrote to memory of 1600	3496	DB6D.exe	DB6D.exe
PID 3496 wrote to memory of 1600	3496	DB6D.exe	DB6D.exe
PID 3496 wrote to memory of 1600	3496	DB6D.exe	DB6D.exe
PID 1600 wrote to memory of 896	1600	DB6D.exe	icacls.exe
PID 1600 wrote to memory of 896	1600	DB6D.exe	icacls.exe
PID 1600 wrote to memory of 896	1600	DB6D.exe	icacls.exe
PID 1600 wrote to memory of 1140	1600	DB6D.exe	DB6D.exe
PID 1600 wrote to memory of 1140	1600	DB6D.exe	DB6D.exe
PID 1600 wrote to memory of 1140	1600	DB6D.exe	DB6D.exe
PID 1140 wrote to memory of 1096	1140	DB6D.exe	DB6D.exe
PID 1140 wrote to memory of 1096	1140	DB6D.exe	DB6D.exe
PID 1140 wrote to memory of 1096	1140	DB6D.exe	DB6D.exe
PID 1140 wrote to memory of 1096	1140	DB6D.exe	DB6D.exe
PID 1140 wrote to memory of 1096	1140	DB6D.exe	DB6D.exe
PID 1140 wrote to memory of 1096	1140	DB6D.exe	DB6D.exe
PID 1140 wrote to memory of 1096	1140	DB6D.exe	DB6D.exe
PID 1140 wrote to memory of 1096	1140	DB6D.exe	DB6D.exe
PID 1140 wrote to memory of 1096	1140	DB6D.exe	DB6D.exe
PID 1140 wrote to memory of 1096	1140	DB6D.exe	DB6D.exe
PID 3340 wrote to memory of 1108	3340		50E.exe
PID 3340 wrote to memory of 1108	3340		50E.exe
PID 3340 wrote to memory of 1108	3340		50E.exe
PID 3340 wrote to memory of 2208	3340		cmd.exe
PID 3340 wrote to memory of 2208	3340		cmd.exe
PID 2208 wrote to memory of 4692	2208	cmd.exe	reg.exe
PID 2208 wrote to memory of 4692	2208	cmd.exe	reg.exe
PID 3340 wrote to memory of 4652	3340		1C22.exe
PID 3340 wrote to memory of 4652	3340		1C22.exe
PID 3340 wrote to memory of 4652	3340		1C22.exe
PID 4652 wrote to memory of 2060	4652	1C22.exe	RegAsm.exe
PID 4652 wrote to memory of 2060	4652	1C22.exe	RegAsm.exe
PID 4652 wrote to memory of 2060	4652	1C22.exe	RegAsm.exe
PID 4652 wrote to memory of 2060	4652	1C22.exe	RegAsm.exe
PID 4652 wrote to memory of 2060	4652	1C22.exe	RegAsm.exe
PID 4652 wrote to memory of 2060	4652	1C22.exe	RegAsm.exe
PID 4652 wrote to memory of 2060	4652	1C22.exe	RegAsm.exe
PID 4652 wrote to memory of 2060	4652	1C22.exe	RegAsm.exe
PID 3340 wrote to memory of 3488	3340		2A2D.exe
PID 3340 wrote to memory of 3488	3340		2A2D.exe
PID 3340 wrote to memory of 3488	3340		2A2D.exe
PID 3488 wrote to memory of 2480	3488	2A2D.exe	powershell.exe
PID 3488 wrote to memory of 2480	3488	2A2D.exe	powershell.exe
PID 3488 wrote to memory of 2480	3488	2A2D.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe
"C:\Users\Admin\AppData\Local\Temp\b119f003f9fca28111b386401a9da65eb1b6b36f6824b2145188aed2bacada1c.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CB8D.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\DB6D.exe
C:\Users\Admin\AppData\Local\Temp\DB6D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3496

C:\Users\Admin\AppData\Local\Temp\DB6D.exe
C:\Users\Admin\AppData\Local\Temp\DB6D.exe
2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\92332909-28db-4278-a276-cca04ed24614" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:896

C:\Users\Admin\AppData\Local\Temp\DB6D.exe
"C:\Users\Admin\AppData\Local\Temp\DB6D.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\DB6D.exe
"C:\Users\Admin\AppData\Local\Temp\DB6D.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 600
5⤵
- Program crash
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1096 -ip 1096
1⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\50E.exe
C:\Users\Admin\AppData\Local\Temp\50E.exe
1⤵
- Executes dropped EXE
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1160
2⤵
- Program crash
PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A5E.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1108 -ip 1108
1⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\1C22.exe
C:\Users\Admin\AppData\Local\Temp\1C22.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Users\Admin\AppData\Local\Temp\2A2D.exe
C:\Users\Admin\AppData\Local\Temp\2A2D.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Users\Admin\AppData\Local\Temp\2A2D.exe
"C:\Users\Admin\AppData\Local\Temp\2A2D.exe"
2⤵
PID:4064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:3172

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3760

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
PID:3568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4792

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:404

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:1308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:1500

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:5032

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:3708

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:2632

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4320

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:2568

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3980

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:836

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3916

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:2356

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:4648

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
1061bb07ec7c9245b10b151020288405

SHA1
ddde8d5f46297baaac76200f2fe78172ac2624f1

SHA256
a5ea5d83cc08ddfccb8ef9ed6fbd184c730f6ed92e9f397a35470b57a89f0541

SHA512
23deb6de48bca364a080200cec3c56a4002796d8350456782dce318c635c2985db53624edf8262f9a82f6bc88eca8e99bcfecf30cd5de916cc8a340fcf2744b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C22.exe
Filesize
124KB

MD5
15e99fef6ef1009225f7c4c6e150be76

SHA1
89bc8a468138da2fac12db6a0fb7b93ffd8703c3

SHA256
11d03ca1f0e3a488cd6ce3b2db917f470218473ed7cbbe75b1e7bf301ea23269

SHA512
3b8ef63d2f08ef6dc0d74e596c23afaa701b22d8dbf52fc1d073b0d285256f340587d9a933d7eb664f2a79df9e0576fa6737a9919304e67150e39e3d51c10480

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A2D.exe
Filesize
2.2MB

MD5
28d85371f8cb2c86973febb4e6478248

SHA1
9e6615f8b926c655a94fc3ed96a9d1ee59a18ba4

SHA256
c1c5071e6e93022f2a43f840cee48365f8f156707f05c247354ecf67e24f76f6

SHA512
8485a3ca78bee520f26126dd4c84e6bdee45ca08a274b08ab673fbbe81286dff7e2464832b4d0fb179efd83a57bb422511e25334c616ac15213f036e4925589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A2D.exe
Filesize
2.2MB

MD5
65d530dbab4d3951fe00e8473ac7397f

SHA1
db9a0c5e82aecd64e6c7bd83a55701b565e91491

SHA256
c2e087d5fc48c7c0ccd2c6d55b74a36a1d3476e7e189774667c4fc00a4dcf38e

SHA512
d5d51b731ef2bfebfb34e8ee4eb78586c15b5e894d40d9ba91cca074a9a58058d9b985c7e2a709c54aaa8792fdf40a094282ab2b5ae98905564e0a4395827571

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A2D.exe
Filesize
2.9MB

MD5
618715ab7d356c317b41ea7133444ab4

SHA1
36a8ad8073e31b06068ba1044d619b4f11092346

SHA256
4b0dd81c1af7a9a8eaefbabca025280273e4988050443ed365545cf27d35cada

SHA512
b0f2264590bb715eeadf9cc3e978102d9d47310d53234624123aece14ee0673314d6f5c368f2b359b28c277486c06d9ac09faf6fec73fb619f9341a3a8545bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\50E.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB8D.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB6D.exe
Filesize
802KB

MD5
b7f8d4ff366d2f244f3473c15209eb57

SHA1
b3b17090c8920ef0b9218f6c22319189da7700f8

SHA256
04af6919d8273c5f76e4e7fc88a0b7ce74c3bcbe8e26348268f19d6dff1d1ee7

SHA512
2bab537580010644831ad212bbd72e6de2304abc7ca990db02b6c5c7f5e46bff08a4b13a78eb7156246815bd66c44c920c27fc5bac48be7405ec2920e6bb9cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3azr3bds.zyp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
28ae9dcb8f737a4bcbc0b87bf4899688

SHA1
35535d5fa28df6bcbea2957bb5f0efc8d83e9f59

SHA256
fbea2b4bed802db1a6850cdce4fe6331b0914e36068c10e420d4498c4e6fc746

SHA512
08107aaf305d55acd022dd83be59dec34135aa46de43f14c90fa72fda6143f474962e9c3fe7ed862fdd39878ad4e2b1a409020eb3043454b7adeef2826722399

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
9dffbc9cfcbf79aa2faca6dc2fa86f7d

SHA1
3b0e9eb0f15445acd512aee7f07b7096784479e4

SHA256
4755e72771013f0061918232c995da979dde0e130e66987fa14999d99470f0e9

SHA512
e05c8960f9bdf24bb224535f32318de045546b7832236b64e90dc89331d5c2955d5624f70ca689fa9cc037d16c27ff7b177b37c5f09bb322bd4335e5b81a4382

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
9b9f81a162abef1640b3273d3e0fafb9

SHA1
10f3d74101dcd5404843aab3e0583627940a741f

SHA256
47b70499a48e9bcbd2d0045afd24a234fa3555d944c40025d04135ebbc589909

SHA512
c0410546bb21119e09c5fdbb2020cef62ee912ed44ee5ef55fe00c5fc2b952a2fb6bc9b35a6235c3a8b5bfc7ecff225fa4b18e63d812dcf2ef857df9ad549936

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
41da0962848d4970335b91e8846b146d

SHA1
364180c7ce76c511eb9b377a02d83f8bbb122740

SHA256
2fe12a059c1834e15821581302e4a203f9b6d57816ec4cac2b9a9bbfbef4121c

SHA512
7ffde47ecf3ef97ef29d22cb8bd5f833c2d54fcf27588fa600a73e34816f60dcf43ab1638f37cfe228e55d2547a779dc5471610627f83fea1479b9df91e7c2e6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
2bfd8286cd857736d684be8c6216e259

SHA1
5127fe0700e586ce335d70dcebb8781912625ff7

SHA256
a37da44f289025676b8ba8f69fd943d92c61692c16fcf6b99f6c737ad9c554b3

SHA512
082080a51b2a2851ccaa9d823494d15596d4c1cf3c7648f503cea396e2c09674f01c21b74ba6de9f60a76bb20c3e877d0109827115621405bdcd2eac1c1645c3

Download Submit
C:\Windows\rss\csrss.exe
Filesize
2.4MB

MD5
46b5cb061626827c47e400b64b0db419

SHA1
25b0b5bd8c42e8e245cbcf5cc52c8a99e3276275

SHA256
1b3f45401543f659d6b7958c8de78180f35905c3a7d143fbbc19957839deddd3

SHA512
1db698e9570bcd969b597372e60851edb3f502c370b8ae6b3ab6e14cb7ee71c9ff35596e5d596c5b68276693d59fca6b8d3aeac91c14f6694f8b80bfeaf9ec2c

Download Submit
C:\Windows\rss\csrss.exe
Filesize
2.3MB

MD5
177144830701351ec6f284e1960822ed

SHA1
2a95f5f5ae0df265892145b089f3c651f72dee10

SHA256
c2e3091b39861648db251053f95d8e89f7dfa99396102de4f6ef299522543c33

SHA512
d757bf78fd43c3bd2409ea6f527bcc5e8b81e3148bd35f3210312b6cc9337467cb644543dd0ee3754a90fa00a3c4d40522b67cb3f218eecfb1a8ecb80a426ec9

Download Submit
C:\Windows\windefender.exe
Filesize
1.3MB

MD5
5aac12f2af2e35b2452328524f0cc8b6

SHA1
2f4c7c8e7e2b137f42b710e972fcdea9ba392d5f

SHA256
a3b51de3c013a6cd93930d0216e435ccbfa8dde52b33abff95f05e9ed6888df4

SHA512
eab9b5ecf1e3a20f2260872f38c14a444317410a3f6fc85d9d736d1d2969adbdfa666984c4ac407f3561b440936b9fac2e6b0e0944967fe0aa52ac7f3b74cb3d

Download Submit
C:\Windows\windefender.exe
Filesize
1.5MB

MD5
60843137fa09f0a766e07d91abed2461

SHA1
5cb5ce96c72cecd90c9ff4d9f4279d8fd2bf4407

SHA256
f987fce03415d27abbbe7b207bed21e64cf950d7bf0fba399425b801ce057349

SHA512
6fa9d772db9eb577230454a78977ef81d7f8a45688eff2555cd6ba5d8bc257a054647c819907630b0d8b1e3cfc6f93461068cdfd9e87de4c1c4595994d314470

Download Submit
C:\Windows\windefender.exe
Filesize
1.1MB

MD5
8c77b1c74d9206e92be7b9401e68aaee

SHA1
a8c3f00af174b4d9c6c4c23f0b912ac4d22e67e4

SHA256
ad95a4c6050e8683db45d39453a0465213dc597aa85dfdc580cfb430ee13eee9

SHA512
1387819e030211e3b8963a5530b86aefd9a2ab322c44e75307f17af7195e772d50d90c99454203c6069aba826fb1cbefb32048c9964c51a84037486f108391b1

Download Submit
memory/1096-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1096-47-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1096-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1108-58-0x0000000000150000-0x0000000000E35000-memory.dmp

Filesize
12.9MB

Download
memory/1108-75-0x00000000030D0000-0x0000000003110000-memory.dmp

Filesize
256KB

Download
memory/1108-71-0x00000000030D0000-0x0000000003110000-memory.dmp

Filesize
256KB

Download
memory/1108-74-0x00000000030D0000-0x0000000003110000-memory.dmp

Filesize
256KB

Download
memory/1108-117-0x0000000000150000-0x0000000000E35000-memory.dmp

Filesize
12.9MB

Download
memory/1108-76-0x00000000030D0000-0x0000000003110000-memory.dmp

Filesize
256KB

Download
memory/1108-68-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1108-67-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/1108-64-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/1108-66-0x0000000003060000-0x0000000003061000-memory.dmp

Filesize
4KB

Download
memory/1108-65-0x0000000000150000-0x0000000000E35000-memory.dmp

Filesize
12.9MB

Download
memory/1108-70-0x0000000000150000-0x0000000000E35000-memory.dmp

Filesize
12.9MB

Download
memory/1108-69-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1108-63-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/1108-73-0x00000000030D0000-0x0000000003110000-memory.dmp

Filesize
256KB

Download
memory/1108-72-0x00000000030D0000-0x0000000003110000-memory.dmp

Filesize
256KB

Download
memory/1140-41-0x0000000002FF0000-0x0000000003091000-memory.dmp

Filesize
644KB

Download
memory/1600-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1600-21-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1600-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1600-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1600-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2060-108-0x0000000006B20000-0x0000000006BB2000-memory.dmp

Filesize
584KB

Download
memory/2060-104-0x0000000005E70000-0x0000000006416000-memory.dmp

Filesize
5.6MB

Download
memory/2060-100-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2060-114-0x00000000069B0000-0x0000000006A16000-memory.dmp

Filesize
408KB

Download
memory/2060-148-0x0000000073980000-0x0000000074131000-memory.dmp

Filesize
7.7MB

Download
memory/2060-107-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/2060-106-0x0000000073980000-0x0000000074131000-memory.dmp

Filesize
7.7MB

Download
memory/2480-138-0x0000000006090000-0x00000000063E7000-memory.dmp

Filesize
3.3MB

Download
memory/2480-152-0x000000006F240000-0x000000006F597000-memory.dmp

Filesize
3.3MB

Download
memory/2480-123-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/2480-124-0x0000000005780000-0x00000000057A2000-memory.dmp

Filesize
136KB

Download
memory/2480-125-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/2480-122-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/2480-190-0x0000000073980000-0x0000000074131000-memory.dmp

Filesize
7.7MB

Download
memory/2480-121-0x0000000005980000-0x0000000005FAA000-memory.dmp

Filesize
6.2MB

Download
memory/2480-139-0x0000000006550000-0x000000000656E000-memory.dmp

Filesize
120KB

Download
memory/2480-140-0x0000000006580000-0x00000000065CC000-memory.dmp

Filesize
304KB

Download
memory/2480-119-0x0000000002D40000-0x0000000002D76000-memory.dmp

Filesize
216KB

Download
memory/2480-143-0x0000000006AC0000-0x0000000006B06000-memory.dmp

Filesize
280KB

Download
memory/2480-145-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/2480-187-0x0000000007C90000-0x0000000007C98000-memory.dmp

Filesize
32KB

Download
memory/2480-150-0x0000000007960000-0x0000000007994000-memory.dmp

Filesize
208KB

Download
memory/2480-120-0x0000000073980000-0x0000000074131000-memory.dmp

Filesize
7.7MB

Download
memory/2480-151-0x0000000074860000-0x00000000748AC000-memory.dmp

Filesize
304KB

Download
memory/2480-161-0x00000000079A0000-0x00000000079BE000-memory.dmp

Filesize
120KB

Download
memory/2480-186-0x0000000007CB0000-0x0000000007CCA000-memory.dmp

Filesize
104KB

Download
memory/2480-164-0x00000000079C0000-0x0000000007A64000-memory.dmp

Filesize
656KB

Download
memory/2480-163-0x000000007FDB0000-0x000000007FDC0000-memory.dmp

Filesize
64KB

Download
memory/2480-167-0x0000000008130000-0x00000000087AA000-memory.dmp

Filesize
6.5MB

Download
memory/2480-170-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

Filesize
104KB

Download
memory/2480-176-0x0000000007B30000-0x0000000007B3A000-memory.dmp

Filesize
40KB

Download
memory/2480-179-0x0000000007BF0000-0x0000000007C86000-memory.dmp

Filesize
600KB

Download
memory/2480-180-0x0000000007B60000-0x0000000007B71000-memory.dmp

Filesize
68KB

Download
memory/2480-184-0x0000000007BA0000-0x0000000007BAE000-memory.dmp

Filesize
56KB

Download
memory/2480-185-0x0000000007BB0000-0x0000000007BC5000-memory.dmp

Filesize
84KB

Download
memory/2640-463-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3340-4-0x0000000001310000-0x0000000001326000-memory.dmp

Filesize
88KB

Download
memory/3340-129-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/3488-116-0x0000000005380000-0x0000000005C6B000-memory.dmp

Filesize
8.9MB

Download
memory/3488-118-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3488-193-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3488-115-0x0000000004F70000-0x0000000005377000-memory.dmp

Filesize
4.0MB

Download
memory/3496-20-0x0000000004A50000-0x0000000004AF2000-memory.dmp

Filesize
648KB

Download
memory/3496-22-0x0000000004C00000-0x0000000004D1B000-memory.dmp

Filesize
1.1MB

Download
memory/3532-1-0x0000000002FC0000-0x00000000030C0000-memory.dmp

Filesize
1024KB

Download
memory/3532-2-0x0000000000400000-0x0000000002D4A000-memory.dmp

Filesize
41.3MB

Download
memory/3532-5-0x0000000000400000-0x0000000002D4A000-memory.dmp

Filesize
41.3MB

Download
memory/3532-3-0x0000000002FB0000-0x0000000002FBB000-memory.dmp

Filesize
44KB

Download
memory/3568-452-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3568-475-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3568-471-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3568-466-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3568-460-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3568-479-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3568-483-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/3924-476-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3924-467-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4064-194-0x0000000004F80000-0x000000000537E000-memory.dmp

Filesize
4.0MB

Download
memory/4064-196-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/4064-195-0x0000000005380000-0x0000000005C6B000-memory.dmp

Filesize
8.9MB

Download
memory/4064-404-0x0000000000400000-0x000000000312D000-memory.dmp

Filesize
45.2MB

Download
memory/4648-399-0x0000027358710000-0x0000027358730000-memory.dmp

Filesize
128KB

Download
memory/4652-103-0x0000000073980000-0x0000000074131000-memory.dmp

Filesize
7.7MB

Download
memory/4652-162-0x0000000002860000-0x0000000004860000-memory.dmp

Filesize
32.0MB

Download
memory/4652-97-0x0000000073980000-0x0000000074131000-memory.dmp

Filesize
7.7MB

Download
memory/4652-105-0x0000000002860000-0x0000000004860000-memory.dmp

Filesize
32.0MB

Download
memory/4652-96-0x0000000000390000-0x00000000003B6000-memory.dmp

Filesize
152KB

Download
memory/4800-210-0x0000000073A80000-0x0000000074231000-memory.dmp

Filesize
7.7MB

Download
memory/4800-208-0x00000000057A0000-0x0000000005AF7000-memory.dmp

Filesize
3.3MB

Download
memory/4800-197-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/4800-198-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download